Abstract

I formalize important theorems about classical propositional logic in the proof assistant 
Coq. The main theorems I prove are (1) the soundness and completeness of natural deduction 
calculus, (2) the equivalence between natural deduction calculus, Hilbert systems and sequent 
calculus and (3) cut elimination for sequent calculus. 


1 Introduction 

Proof assistants (or interactive theorem provers) are computer programs which help to formalize 
and check the correctness of proofs. Proof assistants are used for two things. First, they are used 
for formal verification of hardware or software, which means proving that the hardware or software 
conforms to the specifications. Second, they are used to formally verify mathematical theorems. I 
will only discuss the second use in this paper. 

To prove a mathematical theorem in a proof assistant, the user has to write down the proof in a
language that the proof assistant can parse, and then the proof assistant will check correctness.
Usually the proof assistant provides small amounts of automation, so that the user does not have to
write down every detail. Still, a user typically has to give a lot more details to a proof assistant than
is usually given in a paper proof. This means that a formalization of a mathematical theorem is
much more time consuming than proving the theorem on paper, hence most research mathematics
is not formalized. Still, there are some deep theorems which have been fully formalized in proof
assistants, such as the four color theorem or Feit-Thompson's odd order theorem, which were
both formalised by Georges Gonthier in the proof assistant Coq. It is very rare that a new result
is immediately accompanied by a formalization in a proof assistant; the author knows only two
instances where this has been done.

The goal of this project is to formalize some theorems in proof theory in a proof assistant. I chose
to use the proof assistant Coq for this. Coq is a proof assistant based on the predicative Calculus
of Inductive Constructions, which uses the expressive power of dependent type theory as language.
It uses constructive reasoning, which is very suitable for the meta-logic of proof theory, since most
proofs can be given constructively.

I have formalized the following three theorems. 

1. The completeness theorem of classical natural deduction calculus. 

2. The equivalence between the classical versions of natural deduction calculus (Nc), Hilbert-style
deduction calculus (Hc) and Gentzen's sequent calculus (Gc).

3. Cut elimination for Gentzen's sequent calculus.

To simplify, I only proved this for propositional calculus. Formalizing full predicate calculus gives 
rise to additional difficulties such as variable encodings, variable renaming, alpha-equivalence and 
induction over type families such as vectors. 

The following table is a summary of the formalization. The number of lines in each file is rounded. 


file                  Defines                        Proves                      # lines
a_base                Variable                       -                                20
b_soundness           Provability in Nc, validity    Soundness of Nc                 150
c_completeness        Conjunctive Normal Form        Completeness of Nc              400
d_hilbert_calculus    Provability in Hc              Equivalence of Nc and Hc        100
e_sequent_calculus    Provability in Gc              Equivalence of Nc and Gc        200
f_cut_elimination     Cut-free sequent calculus      Cut elimination                 180


In total there are just over 1000 lines, 66 theorems and 43 definitions.

In the next sections I will discuss the formalization in more detail. I will focus on the considerations 
which went into the formalization. I will skip all proofs and most Lemmas, but I will give informal 
proof sketches for the main theorems. To view all Lemmas, check the coqdoc html files. To view 
all proofs, check the Coq source files. 

2 Basic Definitions 

In a_base I do some preparatory work, by defining variables. The relevant lines are

Parameter PropVars : Set.

Hypothesis Varseq_dec : ∀ x y : PropVars, {x = y} + {x ≠ y}.

The first line indicates that the set of (propositional) variables is some set. The second line indicates
that equality is decidable on this set. Note that since Coq is based on constructive logic, this
is not vacuous. This hypothesis is necessary for the completeness theorem. If we did not assume
this, then one could take for example the constructive reals as variables. It is consistent with the
constructive reals that all valuations (functions from variables to bool) are constant. This means
that it is possible that #0 ∨ #1 (we denote variables with '#') is valid, but it is not provable. So
in this case completeness would fail. These are the only axioms or parameters in the formalization.
All results work even if there are only finitely many variables, even if there is just one variable, or
even none at all (though that wouldn't be a very interesting case).

We can now define formulas in b_soundness.

Inductive PropF : Set :=
 | Var : PropVars → PropF
 | Bot : PropF
 | Conj : PropF → PropF → PropF
 | Disj : PropF → PropF → PropF
 | Impl : PropF → PropF → PropF.

Notation "# P" := (Var P) (at level 1) : My_scope.

Notation "A ∨ B" := (Disj A B) (at level 15, right associativity) : My_scope.

Notation "A ∧ B" := (Conj A B) (at level 15, right associativity) : My_scope.

Notation "A ⇒ B" := (Impl A B) (at level 16, right associativity) : My_scope.

Notation "⊥" := Bot (at level 0) : My_scope.

Definition Neg A := A ⇒ ⊥.

Notation "¬ A" := (Neg A) (at level 5) : My_scope.

Definition Top := ¬ ⊥.

Notation "⊤" := Top (at level 0) : My_scope.

In the formalization I used the Unicode character → for implication, but to distinguish it from the
function type of Coq, I use ⇒ in this document instead.

I use defined negation, because that simplifies induction proofs by having one fewer connective. 
Other than this, I take all connectives as primitive. I could have defined conjunction and disjunction 
in terms of implication and falsum and retain an equivalent system, since I only formalize classical 
logic. However, I decided against this, to make the formalization easier to adapt to intuitionistic 
or minimal logic, where these connectives aren’t interdefinable. We defined negation because it is 
definable in all these calculi. 

In an earlier version of the formalization I used a special variable ⊥ which corresponds to the false
formula. This had as advantages that the variables corresponded exactly to the atomic formulae
and that there is one fewer induction base case when proving things by induction over formulae. In
the end I decided against it, since it is more natural to have ⊥ not as a variable, but as a separate
constant, and the alternative required defining valuations as assigning 'false' to the variable ⊥,
while no such requirement is necessary now.

A valuation is an element of the space PropVars → bool. I define the truth of a formula A under
valuation v in the obvious way. This allows us to define the validity of formulae. The map Is_true
sends a boolean value to the corresponding (true or false) proposition. [] denotes the empty list.

Fixpoint TrueQ v A : bool := match A with
 | # P   => v P
 | ⊥     => false
 | B ∨ C => (TrueQ v B) || (TrueQ v C)
 | B ∧ C => (TrueQ v B) && (TrueQ v C)
 | B ⇒ C => (negb (TrueQ v B)) || (TrueQ v C)
end.

Definition Satisfies v Γ := ∀ A, In A Γ → Is_true (TrueQ v A).

Definition Models Γ A := ∀ v, Satisfies v Γ → Is_true (TrueQ v A).

Notation "Γ ⊨ A" := (Models Γ A) (at level 80).

Definition Valid A := [] ⊨ A.

The notion of provability is naturally defined inductively. I use a context-sharing version of classical
natural deduction. Using the context-sharing version simplifies proofs, because changes in the
context are usually hard to deal with in proofs of meta-theoretic theorems. Note that I am using
lists, not sets, for the context, because it is easier to reason about lists in proofs.

Reserved Notation "Γ ⊢ A" (at level 80).

Inductive Nc : list PropF → PropF → Prop :=
 | Nax   : ∀ Γ A,     In A Γ → Γ ⊢ A
 | ImpI  : ∀ Γ A B,   A::Γ ⊢ B → Γ ⊢ A ⇒ B
 | ImpE  : ∀ Γ A B,   Γ ⊢ A ⇒ B → Γ ⊢ A → Γ ⊢ B
 | BotC  : ∀ Γ A,     ¬A::Γ ⊢ ⊥ → Γ ⊢ A
 | AndI  : ∀ Γ A B,   Γ ⊢ A → Γ ⊢ B → Γ ⊢ A ∧ B
 | AndE1 : ∀ Γ A B,   Γ ⊢ A ∧ B → Γ ⊢ A
 | AndE2 : ∀ Γ A B,   Γ ⊢ A ∧ B → Γ ⊢ B
 | OrI1  : ∀ Γ A B,   Γ ⊢ A → Γ ⊢ A ∨ B
 | OrI2  : ∀ Γ A B,   Γ ⊢ B → Γ ⊢ A ∨ B
 | OrE   : ∀ Γ A B C, Γ ⊢ A ∨ B → A::Γ ⊢ C → B::Γ ⊢ C → Γ ⊢ C
where "Γ ⊢ A" := (Nc Γ A) : My_scope.

Definition Provable A := [] ⊢ A.

This allows us to define the propositions we’re aiming to prove. 

Definition Prop_Soundness := ∀ A, Provable A → Valid A.

Definition Prop_Completeness := ∀ A, Valid A → Provable A.

Given those definitions, Soundness can be proved directly by induction on the derivation (no
additional lemmas are needed). Indeed, in the formalization this only requires 17 lines.¹

Theorem Soundness : Prop_Soundness.


3 Completeness 

The formalization continues to prove Completeness. I will first give a proof sketch, before I turn 
my attention to the formalization. 

3.1 Proof Sketch 

The formalization uses the following proof. Recall that a literal is an atomic formula or the 
negation of an atomic formula, a clause is a disjunction of literals, and that a formula is in 
conjunctive normal form (CNF) if it’s a conjunction of clauses. Also, a formula is in negation 
normal form (NNF), if it only consists of conjunctions, disjunctions and literals. In this paper I 
will use CNF and NNF as nouns indicating formulae in CNF resp. NNF. 

Proof sketch of Completeness. Let A be a formula, A_nnf its negation normal form and A_cnf its
conjunctive normal form. We say that a clause is syntactically valid if either it contains both p
and ¬p for some atomic formula p, or it contains ⊤ (that is, ¬⊥); otherwise it is syntactically
invalid. We say that A_cnf is syntactically valid if it contains no syntactically invalid clauses. Then
Completeness follows from the following statements:

(1) If A is valid, then A_nnf is valid.

(2) If A_nnf is valid, then A_cnf is valid.

(3) If A_cnf is valid, then A_cnf is syntactically valid.

(4) If A_cnf is syntactically valid, then A_cnf is provable.

(5) A_cnf ⇒ A_nnf is provable.

(6) A_nnf ⇒ A is provable.

All statements except (3) are proven by induction on the structure of the formula in question.
Many of these proofs need additional lemmas, which are also proven by induction. Statement (3)
is most naturally proved using contraposition, by showing that if A_cnf is syntactically invalid,
then there is a countervaluation v for it. First one does this for a clause. The countervaluation v
of a syntactically invalid clause C can be defined as v(x) = true iff ¬x occurs in C. One can then
show that v is indeed a valuation, and that v makes C false. Then if A_cnf is syntactically invalid,
it contains some syntactically invalid clause C, and the countervaluation for that clause is also a
countervaluation for A_cnf. □

¹ Counting the lines for theorems Soundness_general and Soundness and for tactics case_bool and
prove_satisfaction. No other lemmas or tactics are used.


3.2 Considerations for the formalization 

In the formalization I defined clauses as lists of literals and CNFs (formulae in CNF) as lists of
clauses. The alternative, to say that only some class of propositional formulae are in CNF, would be
very hard to work with. One of the problems which one has to deal with is associativity. Which of
the following do you call clauses?

((x ∨ ¬y) ∨ z) ∨ w        x ∨ (¬y ∨ (z ∨ w))        (x ∨ ¬y) ∨ (z ∨ w).

You can call all of them clauses, but then clauses are not in a canonical form, and proving theorems
about them will probably be harder. Also, induction proofs will be harder, because you're constantly
proving or using the fact that some formula is in the shape of a CNF. Using lists, you can make sure
that all clauses have the same shape of parentheses, and a term of the correct type is automatically
in CNF. The disadvantage, that you have to define a mapping from clauses to actual formulas, is
very minor.

A viable alternative to using lists would be using non-empty lists, i.e. lists which have at least
one element. When transforming a formula to conjunctive normal form, it turns out we never
end up with an empty clause (i.e. an empty list of literals) or an empty formula in CNF (i.e. an
empty list of clauses). Using non-empty lists might be more natural in that case, but I decided
against this, because I thought this would make meta-theorems harder to prove. With non-empty
lists, the base case is a list of one element, and that case is probably harder than the case of an
empty list. However, allowing for empty lists gives an unexpected artefact in the translation from
lists to formulae. When transforming a clause (a list of literals) to a formula, it is natural to say
f(nil) = ⊥ (nil is the empty list) and f(a::l) = a ∨ f(l). However, this means that, for example,
f([x; y; z]) = x ∨ (y ∨ (z ∨ ⊥)) instead of the more natural f([x; y; z]) = x ∨ (y ∨ z). This poses no
problems except that it is unnatural.


3.3 Definitions 


The definitions needed for Completeness are given below; they are in c_completeness.


Inductive NNF : Set :=
 | NPos : PropVars → NNF
 | NNeg : PropVars → NNF
 | NBot : NNF
 | NTop : NNF
 | NConj : NNF → NNF → NNF
 | NDisj : NNF → NNF → NNF.

Fixpoint MakeNNF (A:PropF) : NNF := match A with
 | # P   => NPos P
 | ⊥     => NBot
 | B ∨ C => NDisj (MakeNNF B) (MakeNNF C)
 | B ∧ C => NConj (MakeNNF B) (MakeNNF C)
 | B ⇒ C => NDisj (MakeNNFN B) (MakeNNF C)
end
with MakeNNFN (A:PropF) : NNF := match A with
 | # P   => NNeg P
 | ⊥     => NTop
 | B ∨ C => NConj (MakeNNFN B) (MakeNNFN C)
 | B ∧ C => NDisj (MakeNNFN B) (MakeNNFN C)
 | B ⇒ C => NConj (MakeNNF B) (MakeNNFN C)
end.

Inductive Literal :=
 | LPos : PropVars → Literal
 | LNeg : PropVars → Literal
 | LBot : Literal
 | LTop : Literal.

The inclusions NNFtoPropF and LiteraltoPropF from respectively NNF and literals to propositional 
formulae are defined in the obvious way. 

In a_base I define the function map_fold_right, such that for f : B → A, g : A → A → A, a : A
and x_i : B we have

map_fold_right f g a [x_0; ...; x_n] = g(f(x_0), g(f(x_1), ... g(f(x_n), a) ... )).

The definition is below, and allows us to define the inclusion from Clause and CNF to PropF. 

Fixpoint map_fold_right {A B:Type} (f : B → A) (g : A → A → A) a l := match l with
 | nil   => a
 | b::l2 => g (f b) (map_fold_right f g a l2)
end.

Definition Clause := list Literal.

Definition ClausetoPropF := map_fold_right LiteraltoPropF Disj ⊥.

Definition CNF := list Clause.

Definition CNFtoPropF := map_fold_right ClausetoPropF Conj ⊤.

We still need to define the map which transforms an NNF to a CNF. The conjunction of two CNFs
is just concatenation of the corresponding lists. However, the disjunction is harder to define. Doing
first the simpler case of taking the disjunction of a clause with a CNF, we see that this corresponds
to just adding this clause in front of every other clause:

C ∨ (C_1 ∧ C_2 ∧ ...)   ⟷   (C ∨ C_1) ∧ (C ∨ C_2) ∧ ... ,

see AddClause below (map f l means applying f to every element of l). We can then define the
disjunction of two CNFs as follows:

(C_1 ∧ C_2 ∧ ...) ∨ H   ⟷   (C_1 ∨ H) ∧ (C_2 ∨ H) ∧ ... ,

where H is a CNF, and where C_i ∨ H is defined using AddClause. This gives rise to the definition
of Disjunct below. The term flat_map is defined in the Coq library such that if f : A → list B and
x_i : A then

flat_map f [x_0; ...; x_n] = f(x_0) ++ f(x_1) ++ ... ++ f(x_n).

This allows us to define the transformation from NNF to CNF.
Definition AddClause (l:Clause) (ll:CNF) : CNF := map (fun l2 => l++l2) ll.

Definition Disjunct (ll ll2:CNF) : CNF := flat_map (fun l => AddClause l ll2) ll.

Fixpoint MakeCNF (A:NNF) : CNF := match A with
 | NPos P    => [[LPos P]]
 | NNeg P    => [[LNeg P]]
 | NBot      => [[LBot]]
 | NTop      => [[LTop]]
 | NConj B C => MakeCNF B ++ MakeCNF C
 | NDisj B C => Disjunct (MakeCNF B) (MakeCNF C)
end.

Finally, we can define syntactical validity.

Definition Valid_Clause (l:Clause) := In LTop l ∨ ∃ A, (In (LPos A) l ∧ In (LNeg A) l).
Definition Valid_CNF ll := ∀ l, In l ll → Valid_Clause l.


3.4 Formalized Proof 

We now turn to proving the 6 statements described in Section 3.1.

Lemma NNF_equiv_valid : ∀ v A, TrueQ v (NNFtoPropF (MakeNNF A)) = TrueQ v A ∧
                               TrueQ v (NNFtoPropF (MakeNNFN A)) = TrueQ v ¬A.

Theorem CNF_equiv_valid : ∀ v A, TrueQ v (CNFtoPropF (MakeCNF A)) = TrueQ v (NNFtoPropF A).

Theorem CNF_valid : ∀ ll, Valid (CNFtoPropF ll) → Valid_CNF ll.

Theorem CNF_provable : ∀ ll, Valid_CNF ll → Provable (CNFtoPropF ll).

Theorem CNF_impl_prov : ∀ A, Provable (CNFtoPropF (MakeCNF A) ⇒ NNFtoPropF A).

Lemma NNF_impl_prov : ∀ A, Provable (NNFtoPropF (MakeNNF A) ⇒ A) ∧
                           Provable (NNFtoPropF (MakeNNFN A) ⇒ ¬A).

In a previous version I proved CNF_valid by contraposition as described above. In that version
I needed to first prove that syntactical validity is decidable. In the latest version I prove this
directly, by showing that a clause is valid if it is valid under the countervaluation for it (which
assigns true to a variable p iff ¬p occurs in the clause).
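The translation and countervaluation argument of Sections 3.1 to 3.4, as an added Python re-implementation that is not the paper's Coq code: MakeNNF/MakeNNFN, MakeCNF via Disjunct, CNFtoPropF with the trailing ⊥/⊤ artefact, the syntactic Valid_Clause test and the countervaluation v(x) = true iff ¬x occurs in the clause, with CNF_equiv_valid checked on every valuation. The tuple encoding of formulas and all function names are this example's own.

```python
from functools import reduce
from itertools import product

# Formulas mirror PropF as nested tuples: ("var", p), ("bot",), ("or", A, B),
# ("and", A, B), ("imp", A, B); variables are strings. Neg and Top are defined.
def var(p): return ("var", p)
BOT = ("bot",)
def neg(a): return ("imp", a, BOT)
TOP = neg(BOT)

def true_q(v, a):
    """TrueQ: truth value of a under the valuation v (dict variable -> bool)."""
    tag = a[0]
    if tag == "var": return v[a[1]]
    if tag == "bot": return False
    if tag == "or": return true_q(v, a[1]) or true_q(v, a[2])
    if tag == "and": return true_q(v, a[1]) and true_q(v, a[2])
    return (not true_q(v, a[1])) or true_q(v, a[2])            # B ⇒ C

# NNF terms: ("npos", p), ("nneg", p), "nbot", "ntop", ("nconj", N, M), ("ndisj", N, M)
def make_nnf(a):
    tag = a[0]
    if tag == "var": return ("npos", a[1])
    if tag == "bot": return "nbot"
    if tag == "or": return ("ndisj", make_nnf(a[1]), make_nnf(a[2]))
    if tag == "and": return ("nconj", make_nnf(a[1]), make_nnf(a[2]))
    return ("ndisj", make_nnf_n(a[1]), make_nnf(a[2]))         # B ⇒ C ~> ¬B ∨ C

def make_nnf_n(a):                                             # MakeNNFN: NNF of ¬a
    tag = a[0]
    if tag == "var": return ("nneg", a[1])
    if tag == "bot": return "ntop"
    if tag == "or": return ("nconj", make_nnf_n(a[1]), make_nnf_n(a[2]))
    if tag == "and": return ("ndisj", make_nnf_n(a[1]), make_nnf_n(a[2]))
    return ("nconj", make_nnf(a[1]), make_nnf_n(a[2]))         # ¬(B ⇒ C) ~> B ∧ ¬C

# Literals: ("pos", p), ("neg", p), "lbot", "ltop"; a Clause is a list of
# literals and a CNF a list of clauses, exactly as in c_completeness.
def disjunct(ll, ll2):
    """Disjunct: (C1 ∧ C2 ∧ ..) ∨ H ~> (C1 ∨ H) ∧ (C2 ∨ H) ∧ .. (flat_map of AddClause)."""
    return [l + l2 for l in ll for l2 in ll2]

def make_cnf(n):
    if n == "nbot": return [["lbot"]]
    if n == "ntop": return [["ltop"]]
    tag = n[0]
    if tag == "npos": return [[("pos", n[1])]]
    if tag == "nneg": return [[("neg", n[1])]]
    if tag == "nconj": return make_cnf(n[1]) + make_cnf(n[2])
    return disjunct(make_cnf(n[1]), make_cnf(n[2]))

def map_fold_right(f, g, a, l):
    """map_fold_right f g a [x0;..;xn] = g(f x0, g(f x1, .. g(f xn, a)))."""
    return reduce(lambda acc, x: g(f(x), acc), reversed(l), a)

def literal_to_prop(x):
    if x in ("lbot", "ltop"): return BOT if x == "lbot" else TOP
    return var(x[1]) if x[0] == "pos" else neg(var(x[1]))

def cnf_to_prop(ll):
    """CNFtoPropF, including the trailing ⊥ / ⊤ artefact noted in Section 3.2."""
    clause = lambda l: map_fold_right(literal_to_prop, lambda p, q: ("or", p, q), BOT, l)
    return map_fold_right(clause, lambda p, q: ("and", p, q), TOP, ll)

def valid_clause(l):
    """Valid_Clause: ⊤ occurs, or some p and ¬p both occur (purely syntactic)."""
    return "ltop" in l or any(("neg", x[1]) in l for x in l if x[0] == "pos")

def countervaluation(clause, variables):
    """Section 3.1: v(x) = true iff ¬x occurs in the syntactically invalid clause."""
    return {x: ("neg", x) in clause for x in variables}

def check(a, variables):
    """Return (syntactically valid, semantically valid, countervaluation or None)."""
    cnf = make_cnf(make_nnf(a))
    sem = True
    for bits in product([False, True], repeat=len(variables)):
        v = dict(zip(variables, bits))
        assert true_q(v, cnf_to_prop(cnf)) == true_q(v, a)    # CNF_equiv_valid
        sem = sem and true_q(v, a)
    bad = [c for c in cnf if not valid_clause(c)]
    return (not bad, sem, countervaluation(bad[0], variables) if bad else None)
```

The first two components of `check` always agree, which is the content of statements (1) to (4); when they are False the third component is the countervaluation that refutes the formula.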

This allows us to prove completeness: 

Theorem Completeness : Prop_Completeness.


4 Equivalence between the calculi 

We now turn to formalizing the equivalence between the natural deduction calculus Nc, Hilbert-style
calculus Hc and Gentzen's sequent calculus Gc.

4.1 Nc and He 

In d_hilbert_calculus I define Hilbert-style calculus. Natural deduction calculus and Hilbert-
style calculus are quite similar. The difference is that in Hilbert-style calculus we have axioms, which
allow us to have only implication elimination (modus ponens) as inference rule. The Hilbert-style
calculus is defined below.

Inductive AxiomH : PropF → Prop :=
 | HOrI1  : ∀ A B,   AxiomH (A ⇒ A ∨ B)
 | HOrI2  : ∀ A B,   AxiomH (B ⇒ A ∨ B)
 | HAndI  : ∀ A B,   AxiomH (A ⇒ B ⇒ A ∧ B)
 | HOrE   : ∀ A B C, AxiomH (A ∨ B ⇒ (A ⇒ C) ⇒ (B ⇒ C) ⇒ C)
 | HAndE1 : ∀ A B,   AxiomH (A ∧ B ⇒ A)
 | HAndE2 : ∀ A B,   AxiomH (A ∧ B ⇒ B)
 | HS     : ∀ A B C, AxiomH ((A ⇒ B ⇒ C) ⇒ (A ⇒ B) ⇒ A ⇒ C)
 | HK     : ∀ A B,   AxiomH (A ⇒ B ⇒ A)
 | HClas  : ∀ A,     AxiomH (¬¬A ⇒ A).

Inductive Hc : list PropF → PropF → Prop :=
 | Hass  : ∀ A Γ,   In A Γ → Γ ⊢H A
 | Hax   : ∀ A Γ,   AxiomH A → Γ ⊢H A
 | HImpE : ∀ Γ A B, Γ ⊢H A ⇒ B → Γ ⊢H A → Γ ⊢H B
where "Γ ⊢H A" := (Hc Γ A) : My_scope.

I then prove the equivalence of these systems. 

Theorem Nc_equiv_Hc : ∀ Γ A, Γ ⊢ A ↔ Γ ⊢H A.

The proof is not hard. In the direction from left to right, one basically needs to prove that all
axioms of Hc are provable in Nc. In the converse direction, one needs to prove the Deduction
Theorem for Hc, which states that

Γ, A ⊢H B   implies   Γ ⊢H A ⇒ B.


4.2 Nc and Gc 

In e_sequent_calculus I define Gentzen's sequent calculus. Gentzen's sequent calculus is quite
different from natural deduction. In sequent calculus the propositions are sequents of the form
Γ ⊢ Δ, where Γ and Δ are either sequences, multisets or sets of formulae. A sequent intuitively
means that the conjunction of Γ implies the disjunction of Δ. Instead of having introduction and
elimination rules as in natural deduction, there are left rules and right rules for each connective,
which introduce that connective on that side of the sequent.

I define the sequent calculus in the formalization below. Since lists are easiest to work with, I
use them in sequents. Usually when lists are used in sequent calculus, there are some structural
rules allowing one to move formulas around in the list. However, having these rules makes induction
proofs very hard, and requires more nonstructural induction proofs, so instead I defined the sequent
calculus in such a way that it is possible to apply a rule anywhere in the lists (ordinarily the relevant
formulas appear only on one end of the lists). I use the symbol ⊃ as separator in a sequent.

Inductive G : list PropF → list PropF → Prop :=
 | Gax  : ∀ A Γ Δ,       In A Γ → In A Δ → Γ ⊃ Δ
 | GBot : ∀ Γ Δ,         In ⊥ Γ → Γ ⊃ Δ
 | AndL : ∀ A B Γ1 Γ2 Δ, Γ1++A::B::Γ2 ⊃ Δ → Γ1++A∧B::Γ2 ⊃ Δ
 | AndR : ∀ A B Γ Δ1 Δ2, Γ ⊃ Δ1++A::Δ2 → Γ ⊃ Δ1++B::Δ2 → Γ ⊃ Δ1++A∧B::Δ2
 | OrL  : ∀ A B Γ1 Γ2 Δ, Γ1++A::Γ2 ⊃ Δ → Γ1++B::Γ2 ⊃ Δ → Γ1++A∨B::Γ2 ⊃ Δ
 | OrR  : ∀ A B Γ Δ1 Δ2, Γ ⊃ Δ1++A::B::Δ2 → Γ ⊃ Δ1++A∨B::Δ2
 | ImpL : ∀ A B Γ1 Γ2 Δ, Γ1++B::Γ2 ⊃ Δ → Γ1++Γ2 ⊃ A::Δ → Γ1++A⇒B::Γ2 ⊃ Δ
 | ImpR : ∀ A B Γ Δ1 Δ2, A::Γ ⊃ Δ1++B::Δ2 → Γ ⊃ Δ1++A⇒B::Δ2
 | Cut  : ∀ A Γ Δ,       Γ ⊃ A::Δ → A::Γ ⊃ Δ → Γ ⊃ Δ
where "Γ ⊃ Δ" := (G Γ Δ) : My_scope.

We now turn to proving the equivalence between Nc and Gc. Neither direction is easy.

In the direction from Gc to Nc we prove that

Γ ⊃ Δ   implies   Γ ⊢ ⋁Δ,

where ⋁Δ is the disjunction of the formulae in Δ (similar to a clause, except that the entries can
now be any formulae instead of only literals). However, proving this directly is very hard, since
in the definition of sequents we make changes in the middle of the disjunction. This means that
in every step we have to use multiple or-eliminations and then or-introductions, which gets really
ugly. Instead, we prove the following intermediate lemma:

Γ ⊃ Δ   implies   Γ, ¬Δ ⊢ ⊥,

where ¬Δ is the element-wise negation of the formulae in Δ. In the formalization this looks as follows.

Definition BigOr := fold_right Disj ⊥.

Notation "⋁ Δ" := (BigOr Δ) (at level 19).

Notation "¬l Γ" := (map Neg Γ) (at level 40).

Lemma G_to_Nc_Neg : ∀ Γ Δ, Γ ⊃ Δ → Γ++¬l Δ ⊢ ⊥.

Theorem G_to_Nc : ∀ Γ Δ, Γ ⊃ Δ → Γ ⊢ ⋁Δ.

In the direction from Nc to Gc the major difficulty is proving weakening for Gc. On paper, proving
weakening is not very hard, but in the formalization the fact that we can apply rules anywhere
in the list, and the fact that the weakening also occurs anywhere in the list, make it quite hard
to prove (for example, in every induction step we need to distinguish cases according to which of the
two formulae occurs earlier in the list).

Lemma WeakL : ∀ Γ1 Γ2 Δ A, Γ1++Γ2 ⊃ Δ → Γ1++A::Γ2 ⊃ Δ.

Lemma WeakR : ∀ Γ Δ1 Δ2 A, Γ ⊃ Δ1++Δ2 → Γ ⊃ Δ1++A::Δ2.

Theorem Nc_to_G : ∀ Γ A, Γ ⊢ A → Γ ⊃ [A].


5 Cut Elimination 

In f_cut_elimination I prove the cut elimination theorem. I first introduce the cut-free sequent
calculus, which has no cut rule. To strengthen the cut elimination a bit, I only allow the axiom
rule for atomic formulae in the cut-free calculus. I denote the cut-free sequents as Γ ⊃c Δ (I don't
give the definition here; it is very similar to the definition of G).

I give a semantic proof for cut elimination. This proof does not generalize easily to predicate
calculus; the semantic proof for predicate calculus is much more involved. I also tried to give a
syntactical proof, but failed due to time constraints.

The semantic proof goes as follows. First we prove soundness of the sequent calculus with cut,
which states that the conclusion of any derivation (with cuts) is valid. The main part is to prove
completeness of the cut-free calculus. Suppose that we are given a valid sequent. If no logical
connectives occur in the sequent, then we prove that we can apply either the axiom rule or the
falsum rule, using that the sequent is valid. On the other hand, if any connective occurs in the
sequent, we apply the corresponding rule (in reverse) to eliminate that connective. We then show
that the hypotheses of the rule are also valid, and that they contain fewer connectives than the
conclusion. So we can use a nonstructural induction to conclude that the hypotheses are provable,
which finishes the proof.
We need the following definitions. The first line defines the notation for a valid sequent. Then we
define the size of a formula and of a sequent, which in this case is the number of connectives occurring
in it.

Definition Validates v Δ := ∃ A, In A Δ ∧ Is_true (TrueQ v A).

Notation "Γ ⊨⊃ Δ" := (∀ v, Satisfies v Γ → Validates v Δ) (at level 80).

Fixpoint size A : nat := match A with
 | # P   => 0
 | ⊥     => 0
 | B ∨ C => S (size B + size C)
 | B ∧ C => S (size B + size C)
 | B ⇒ C => S (size B + size C)
end.

Definition sizel := map_fold_right size plus 0.

Definition sizes Γ Δ := sizel Γ + sizel Δ.

This allows us to prove the following theorem by induction on n.

Theorem Gcf_complete_induction : ∀ n Γ Δ, sizes Γ Δ < n → Γ ⊨⊃ Δ → Γ ⊃c Δ.

Together with Soundness this proves cut elimination.

Theorem Cut_elimination : ∀ Γ Δ, Γ ⊃ Δ → Γ ⊃c Δ.
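The semantic proof of Gcf_complete_induction is in effect a decision procedure: peel off connectives anywhere in the sequent until only the atomic axiom rule or the falsum rule can apply. This added Python example (not the paper's Coq code) runs that search, returning a cut-free derivation or, from the base case, the countervaluation v(p) = true iff #p occurs in Γ. The tuple encoding of formulas and the function names are this example's own.

```python
# Formulas are nested tuples ("var", p), ("bot",), ("or", A, B), ("and", A, B),
# ("imp", A, B); a sequent Γ ⊃ Δ is a pair of Python lists of formulas.

def size(a):
    """size: the number of connectives in a formula (0 for # p and ⊥)."""
    return 0 if a[0] in ("var", "bot") else 1 + size(a[1]) + size(a[2])

def sizes(gamma, delta):
    """sizes Γ Δ: the induction measure used by Gcf_complete_induction."""
    return sum(map(size, gamma)) + sum(map(size, delta))

def first_compound(fs):
    """Position of the first formula carrying a connective, or None."""
    return next((i for i, a in enumerate(fs) if a[0] not in ("var", "bot")), None)

def combine(rule, premises):
    """A rule application is a proof iff all premises are. Every rule of G is
    invertible, so a countervaluation of a premise also falsifies the conclusion."""
    for pr in premises:
        if pr[0] == "counter":
            return pr
    return ("proof", (rule, [pr[1] for pr in premises]))

def prove(gamma, delta):
    """Return ("proof", tree) if Γ ⊃c Δ has a cut-free derivation, otherwise
    ("counter", v) with v a valuation satisfying Γ and falsifying all of Δ.
    Rules are applied in the middle of the lists, as G permits, and each call
    strictly decreases sizes(Γ, Δ), so the search terminates."""
    i = first_compound(gamma)
    if i is not None:                                   # a left rule
        a, g1, g2 = gamma[i], gamma[:i], gamma[i + 1:]
        if a[0] == "and":                               # AndL
            prem = [prove(g1 + [a[1], a[2]] + g2, delta)]
        elif a[0] == "or":                              # OrL
            prem = [prove(g1 + [a[1]] + g2, delta), prove(g1 + [a[2]] + g2, delta)]
        else:                                           # ImpL
            prem = [prove(g1 + [a[2]] + g2, delta), prove(g1 + g2, [a[1]] + delta)]
        return combine(("L", a), prem)
    j = first_compound(delta)
    if j is not None:                                   # a right rule
        a, d1, d2 = delta[j], delta[:j], delta[j + 1:]
        if a[0] == "and":                               # AndR
            prem = [prove(gamma, d1 + [a[1]] + d2), prove(gamma, d1 + [a[2]] + d2)]
        elif a[0] == "or":                              # OrR
            prem = [prove(gamma, d1 + [a[1], a[2]] + d2)]
        else:                                           # ImpR
            prem = [prove([a[1]] + gamma, d1 + [a[2]] + d2)]
        return combine(("R", a), prem)
    # sizes = 0: only the atomic axiom rule and the falsum rule remain.
    if ("bot",) in gamma:
        return ("proof", ("GBot", None))
    shared = [a for a in gamma if a in delta]
    if shared:
        return ("proof", ("Gax", shared[0]))
    # Neither applies, so v(p) = true iff # p occurs in Γ falsifies the sequent.
    atoms = {a[1] for a in gamma + delta if a[0] == "var"}
    return ("counter", {p: ("var", p) in gamma for p in atoms})

def cut_free_provable(gamma, delta):
    return prove(gamma, delta)[0] == "proof"
```

Because the search only ever uses the rules of the cut-free calculus, a "proof" result is a witness for Γ ⊃c Δ, while a "counter" result refutes Γ ⊨⊃ Δ and, by Soundness, Γ ⊃ Δ as well.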


6 Conclusion and Future work 

In this project I have shown that the proofs of basic but important theorems about propositional
calculus can be implemented in a proof assistant relatively painlessly. Since many concepts in proof
theory are naturally definable using induction, Coq's excellent support for inductive datatypes and
proofs by induction makes the formalization of this subject relatively easy. The lack of strong
automation in Coq does require the user to focus a lot on details in the proof.

This project can be seen as a proof of concept for formalizing theorems in proof theory. One can
extend this project in numerous ways. One can consider nonclassical logics, and prove soundness
and completeness results about them, like the completeness of intuitionistic logic w.r.t. Kripke models.
Another way to extend this is to consider predicate calculus instead of propositional calculus. This
has been done in the literature already, for example to prove Gödel's first incompleteness theorem.
Another possible extension is to prove other theorems, like the Beth definability theorem or Craig's
interpolation theorem.